
Orome1 writes "Since up to 85% of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real-time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures, out of which as many as 31.3% were infected with the virus/malware due to missing security updates."

That's the theory behind Immunet: once one of the computers is infected by a new virus, it's analyzed pretty much immediately and a signature is added before the virus has a chance to infect more machines. It doesn't stop new infections, but it does diminish the spread.

I'm not sure how well it ultimately works, but the basic theory behind it is sound.

Another thing that could happen would be for the ISP to throttle the connection back to dial up speed for infected computers downloading anything other than ant

An interesting thought, but something seems fishy there. How does Immunet tell that a particular piece of malware is malware? If it can tell automatically, then why not simply prevent it in the first place? Updates are not necessary, as you now have the perfect AV. If you can't tell automatically, then it relies on an end user to recognize and prevent infection. At this point, it is really relying on the end user and is not really any better than conventional AV.

Well, in theory, if you rigged a computer with a baseline install, the 3 major browsers and perhaps Flash, and ran a script to make it visit random pages but not download or install any files or programs, then upon reboot any new process running is almost certainly malicious.

The day that people stop clicking on "want bigger pen0r?" or "see x celebrity naked here" links is the day that 30% jumps to 90%.
The fact is that a fully updated, maintained system is virtually malware-proof if the user uses common sense.

But sadly, average users need better than this. Everyone on /. is at least computer literate, likely has fundamentals of data and system level security, and understands the importance of backups (even if they don't do it, they are accepting a known risk). The average user thinks that e-mails are private, that 'password' is a bad password but that 'pa$$word', 'mypassword', 'PaSsWoRd', and 'password123' are all good enough, and that their digital pictures are perfectly safe on their hard drive in their 5 year ol

I also think Linux is bad for the average user, because while it is more secure than Windows by default, if you muck with it you can cause vastly more damage to the system if you are in the "just enough knowledge to be dangerous" camp. Ubuntu goes a long way towards this, but it needs an even friendlier interface (IMHO) for system setup and config. We won't get that till an OEM adopts it seriously for end user platforms.

I have set up a laptop for 2 different clients' wives with Ubuntu. Both were non-computer experts, and kept getting every infection known to man. After setting them up (over 2 years ago) I never saw those laptops again. I still see the clients, but they say the laptops are running perfectly. Lost a lot of business there, and from happy clients. :) Ooops...

I used to do the bi-monthly schlep to my mother's house to clean off the latest Google-results-hijack/adware/trojans du jour. Finally one day I told her, "I got something for ya." Installed Ubuntu 10.04 LTS and haven't had a problem since. She's one very happy Linux user.

Installing a modern Linux OS is generally easier than Windows, even for someone who has never used Linux before.

Typical Linux install: insert CD, boot computer, click the install Linux button (by default it will ask to download the updates, and does so in this step), hit next, accept the defaults. The computer boots back up, ready to go with a word processor, Firefox and almost everything they need ready to go.

There are a few exceptions to the list, and it's not uncommon for Windows to have all of the drivers ready for you, but oddly, in all installs of Linux I have done recently, everything I have ever thrown at it has been automatically detected and ready to go on reboot. I do admit the antivirus would be necessary if Linux were to ever fall into the "common for average users to get" category.

Even more salient is that only 13% of the successful infections relied on software that was Windows-only (10% were IE exploits, 3% were Windows Help exploits).

All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

But aren't you assuming that the other 87% are fully cross-platform? For instance, Java and Flash vulnerabilities exist in both Linux and OS X but don't result in the same issue, as those platforms are different. For example, a Flash vulnerability may allow the execution of a bundled .exe file; however, that does nothing for Linux/OS X users. For them, they would have to get scripts, and even then bypass any default settings that don't allow scripts to run automatically.

.exe files aren't materially different than Linux / Mac bin files -- if you can tell the OS to execute arbitrary code, the extension is hardly meaningful.

Regardless, that's not how those exploits work. Machine code is somehow slipped through the plugin's security measures and is executed (buffer overflow, etc). That code then downloads the actual exe and dll files that are set up as the permanent infection, and will often attempt privilege escalation at the same time (and if successful, will often overwrite

The problem is that you are assuming arbitrary code execution rather than arbitrary file placement. Both are bad, but there is less severity in file placement depending on where the file is located. If files can only be saved to user directories but are not executable, there is less risk. As for Pwn2Own, there were different categories. One was code execution, one was file placement and one was reading user files.

Tbf, a large number leveraged Flash and Acrobat Reader. Flash is not installed by default on Macs any more (though it is likely to be installed, as there's no alternative); Acrobat Reader is not installed, and is unlikely to be installed due to the existence of Preview and Safari's native PDF rendering.

Flash is also not installed by default on Windows, nor is Java (though your OEM vendor may slip it in on you). That doesn't matter; the first time the user visits YouTube, they will get Flash, and that will likely be the version of Flash they have for the next umpteen months until their local friendly geek updates them. (Does Mac system update cover Java?)

My friends & family run $OS with the browser running in an isolated user account; it works quite well.

So do most Windows users. Luckily for the virus makers, it's pretty easy to pester the user with a zillion gksudo / consent.exe prompts requesting elevation -- all it takes is clicking "allow" if you don't have a password set, and it's all over.

The report only shows how many machines were running each browser or OS on the infected machines. They don't report how many machines in total had those browsers or OSes. So it may be that 100% of the Win98, Win2k and Win2003 installations were infected but they represent such a small subset of the total userbase that the percentages in the pie charts are also relatively small.

Additionally, the browser report doesn't break out different versions of IE and Firefox. The fact is a lot of people are still using

To think that with GUI operating system versions it began with Microsoft's rather optimistic view, with regards to ActiveX, that nobody on another networked computer would ever think of invading your computer, manipulating it, installing software on it and controlling it.

Big fan of OTR and impressed when I heard a radio play from the 1950's which predicted unprotected computer hardware being infected... so the concept wasn't new.

I also spent my early years on a mainframe system, where we were always vigilant to keep

The salient point is that fully updated and patched installs let 70% of the infections through.

This proves that no amount of software development can overcome human stupidity.

I haven't used an antivirus program in over 15 years and have not had any infections in about as long. I do download a free trial of some random antivirus program every year or so and just do a full manual scan before I uninstall it though.

I like to tell people that the best antivirus that you can possibly install lies between your ears.

Stupid users eh? Explain the following: Yesterday I visited the top site google provided for a search I did. I was not searching for anything particularly exotic or deviant, certainly not pornographic or illegal. Immediately on visiting the site with my Windows 7 machine, Microsoft Security Essentials pops up to alert me of a "severe" threat (Trojan:JS/BlacoleRef.A) it had located in my browser cache (Firefox 7.01). I did what the security program said, and it says the threat was removed. I have no idea if it was removed or not, my only choice with such an obfuscated, complicated OS is to assume that the tools I am given are not lying to me and are doing the job that they are.

However should I be infected in the above scenario, how exactly does this make me a "stupid user"? I've had a PC since the late 1970's. I can code in ASM, Cobol, Fortran, Basic, C, C++. I like to think I know how computers work. I don't click "Yes" to everything, and I don't run programs from dubious sources anywhere other than a virtual machine. Should I be going through my registry and boot files daily to not be a "stupid user"? Isn't that what an OS is supposed to do for me - take care of the basic functions of my machine while I run the programs I need? Are you just going to troll me by saying "use linux instead you noob"?

Are you just going to troll me by saying "use linux instead you noob"?

Use VirtualBox to browse, you stupid Noob! :) It is actually almost to this point. Some of the exploits even work on Linux. Only as the running user, however, so a root exploit means you were a stupid Linux noob running as root. (So far anyway. Tomorrow may be different.)

Your anecdote perfectly illustrates why we need to run AV scanners on our machines. It doesn't matter how careful we are, we are not immune to drive-by attacks.
At this point, the typical Slashdot response is "Run AdBlock/NoScript". This doesn't always guarantee that you'll be safe, because what happens if the "safe" site you regularly visit has been compromised and the script you're about to allow is no longer safe?
AV packages add another layer of defense, and this is a good thing.

Sorry, I kid, I kid. But seriously, I feel your pain. My brother put a virus on my PC when he viewed a video about how to teach a kid to ride a bike. Go figure. What I've taken to doing is doing my web browsing in a VirtualBox running Ubuntu + Chrome. It's pretty bulletproof, and even if it gets through, it's tough to get out of the V-Box (Yeah, I know it can be done, but who does it?).

Unless the scanner didn't know the virus yet. I think you'll find that they don't know about anything from the last month or so. If you check VirusTotal with the various binaries you collect on a mail server, you'll find that literally *most* of them don't get caught in any consistent way by any majority of the virus scanners listed there. It's not just that virus scanners suck, it's that they don't work for anything but the oldest stuff. So I hope UAC can do the job and it isn't a userspace malware set

No, I agree. Especially if you learn to code in a cookie-cutter university environment. However, I taught myself everything I know about computers back when computers were far simpler than today. I knew how to peek and poke memory, deal with interrupts and DMA channels and even sometimes write my own drivers before most of today's coders left their diapers. I have intimate and fairly obsolete knowledge not only of CPUs and their supporting chips, but I understand on a fundamental level how a computer work

The salient point is that fully updated and patched installs let 70% of the infections through.

[citation needed]

I know you are not supposed to read the Fine Article, but not even the summary? The summary quotes the very article to mention the 31.x% statistic.

The article also says 99.8% of the infections happened due to just five pieces of software. Can't understand that. On top of it, it splits Adobe into two pieces, Flash Player and PDF Reader. Thus the top prize goes to Java JRE. But there it clubs an array bounds violation with an ActiveX vulnerability in the deployment tool. Looks like the article has the stench of a shill sett

According to the article, IE ranks fourth! Java JRE ranks first; Adobe Flash and Adobe PDF Reader take the next two places. I think, combining these two, Adobe is the king of the hill now in being the vector of disease. Not that it is any surprise.

Java JRE issue is confusing. If the problem is with Java and specs, it should be platform independent. So it is the Windows implementation that is at fault? I don't know.

Java JRE, so, disable it. I haven't found a single site that depends on it, the add-on seems to install by default (I just want the runtime, not the browser add-on...) and its only use in the browser seems to be as an attack vector.

And it's not a problem with the specs, I think; it's the problem that the Java JRE is huge, and a single exploit in a single feature is a problem.

Yes, people who actually deal with such issues for a living have known this for some time. The difference between browsers is rapidly becoming moot -- the market share of any one browser is too diluted to be worth targeting when compared with the widespread adoption of Flash, Java, Acrobat, and QuickTime.

There are some cases where it is conceivable that IE would be more secure than Firefox, given the huge leaps made between IE6 and IE9 over the last 4 years.

I am getting this pop-up ad for Norton anti-virus. That would not be unusual except for the fact that the only way I can see to get rid of it is to click the accept button. There is no x or a no thanks button on it. I have Microsoft anti-virus and I also have the IObit Windows care program, and I run Firefox with their pop-up blocker. Even with all of that I still get that pop-up. I will not accept just because they do not have an easy way to decline.

The JRE issue is simple. The JRE is being exploited to deliver Windows malware. Linux or other OSes can get "infected" by the same exploit, but since the payload code is for Windows it won't run on other OSes. The JRE is just the delivery method, it's not actually running the malware.

The big issue with Java is that while it is platform independent, it is not version independent. There are many many Java apps that require a specific version of the JRE and will not run on a newer one. So if you need t

I wish this were true. So many enterprise apps are Java (not JS) it is frightening. I maintain a whitelist for JVM apps allowed in the browser rather than uninstalling it. Annoying, but I cannot do my job without it, nor can my wife go to school without it (on-line classes use it for the "classroom app"). -nB

Looking at the graphs and statistics, I ended up wishing they'd factored in usage share, to make the numbers more meaningful.

I mean, if (say) 70% of users used XP and 30% of users used Win7, then seeing 70% of the exploits on XP and 30% of the exploits on Win7 doesn't tell you much other than there's an exploit that is the same across them. It does NOT mean that XP is more vulnerable than Win7. Ditto the breakdown by browsers. Without usage share factored in, the numbers can be misleading in either direction.
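As an added illustration of the normalization point raised in this comment and in the earlier one about the pie charts (my code, not the article's or any commenter's; the exposure and infection counts are constructed, not figures from the CSIS report), the block below ranks platforms by raw share of infections and by per-platform infection rate and shows that the two orderings can disagree:

```python
"""Normalizing infection counts by usage share.

Share of the infection pie = infections on platform / all infections.
Infection rate            = infections on platform / exposures on platform.
Only the second one says anything about how vulnerable a platform is.
"""

# Constructed sample data (NOT from the CSIS report): "exposures" is how many
# observed visits came from each platform, "infections" how many of those
# ended in a successful exploitation.
EXPOSURES = {"WinXP": 70_000, "Win7": 30_000, "Win2000": 500}
INFECTIONS = {"WinXP": 21_000, "Win7": 9_000, "Win2000": 400}


def raw_share(infections):
    """Fraction of all infections attributed to each platform (pie-chart view)."""
    total = sum(infections.values())
    if total == 0:
        return {p: 0.0 for p in infections}
    return {p: n / total for p, n in infections.items()}


def infection_rate(exposures, infections):
    """Fraction of each platform's own exposures that ended in infection.

    Platforms with zero recorded exposures are skipped rather than dividing
    by zero; a platform with exposures but no infections gets rate 0.0.
    """
    rates = {}
    for platform, exposed in exposures.items():
        if exposed <= 0:
            continue
        rates[platform] = infections.get(platform, 0) / exposed
    return rates


def rank(table):
    """Platform names ordered from highest to lowest value (ties keep input order)."""
    return sorted(table, key=table.get, reverse=True)


if __name__ == "__main__":
    share = raw_share(INFECTIONS)
    rate = infection_rate(EXPOSURES, INFECTIONS)
    print(f"{'platform':10} {'share':>8} {'rate':>8}")
    for platform in EXPOSURES:
        print(f"{platform:10} {share[platform]:8.1%} {rate[platform]:8.1%}")
    # XP and Win7 carry ~99% of the infections but have the same 30% rate;
    # Win2000 is barely visible in the pie yet 80% of its exposures were hit.
    print("ranked by share:", rank(share))
    print("ranked by rate: ", rank(rate))
```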

In the control panel, it can tell me which versions of the ActiveX (IE) and plugin (Firefox, etc) are installed, but when I manually ask to check for updates it sends the default browser to the Flash download page.

What a completely lame-brained approach--the control panel should check for, download and install updates itself, or pass it off to an Adobe Update app, or *something* that doesn't require manually downloading and installing a fresh copy of *bot

Unfortunately I run into areas where I am unable to upgrade the JRE due to incompatibilities with newer versions. For instance, in dealing with a Dell DRAC, the old Chassis says it'll support 1.4_5 something or other or newer. The problem is with the exact version it works fine but upgrading JRE on my system causes it to fail and refuse to start up the console java app. So I have a Windows laptop at my desk that is kept at that specific version of the JRE so I can continue to access the chassis until it's replaced. It's just one example but it's one I have to deal with on a periodic basis.

I have clients that can't use their check scanner for online corporate banking if JRE gets upgraded. Of all the PCs in the office, that's the one you do NOT want to get infected with a rootkit and keylogger for obvious reasons.

My solution is to just keep the old laptop around but not use it for anything but that specific task. So it sits in a drawer and every month or so I have to break it out, turn it on, and check out the console for the server that stopped responding to the network for some reason. If it doesn't get on the 'net, there isn't much of a chance of it getting infected.

Granted but I do from the system I use to access the DRAC. The issue is that my Windows box has to stay at a specific version of the JRE in order to continue to access the DRAC. So upgrading the JRE isn't possible. Fortunately I've received a new laptop so the old Windows one just sits until I need it to access the DRAC.

They need to incorporate the option of turning on automatic, silent upgrades like Google Chrome has - many end users don't recognize the "Hey, I've got an update" balloons on their machines, and just ignore them until they wind up several versions out of date. Also, Adobe needs to cut out this "reboot required" nonsense for Adobe Reader. Not everyone is able to reboot machines at the drop of a hat, and it's annoying to have to schedule a reboot on a server for a program that didn't require a reboot for insta

Silent updates are the worst idea ever. Something that worked yesterday stops working today - and I have no clue why. It is OK for some users to enable automatic updates (e.g. if you use only a Web browser and no specific plugins), but even then: make the users aware of each update. Most users are far better off with a planned update.

That only works if users actually install the updates. Best case scenario, they actually call IT and ask about it and make us install it for them. Worst case scenario, they ignore it and we don't find out about it until six months later when their system is suddenly infected beyond repair because they double-clicked a fake UPS attachment receipt.

The majority of infections are (in order): JRE, Acrobat Reader, Flash, and a minority are actual browser exploits and/or Quicktime exploits. No word on the versions but I expect that they are all well-known and long-patched holes.

Part of the reason I run with Java disabled, Flashblock installed, etc.

I can't tell you how much I wish Windows Update would update other applications.. I guess I've turned into a crusty, bearded old Linux geek.. but one command to update everything kind of spoils you. (and being able to install and uninstall more than one application at a time is nice too).

According to my colleague, the option is there for Win7 to do that now. It's apparently the software vendors who need to integrate their apps into it. I doubt Adobe and Oracle will do that without being pushed though, there probably is something in the rules against pushing extra toolbars and such when updating.. they love doing that.

I must admit I always had some suspicions of web browsers that visit dozens of websites before they even visit your own home page. Running 'tcpdump -vv' and 'netstat -a' while a browser is running is very enlightening, even more so when doing 'whois' on those websites I've never heard of.

Never could understand why 'firefox' was opening a shttp link to weather.noaa.gov, or who "stopbadware.org" was.

weather.noaa.gov is the stupid toolbar something added. stopbadware.org is the Firefox link scanning site trying to keep you safe from "bad websites", but only after they have infected lots of folks, and for a while after they are cleaned up... The other 52 websites on a given page are ads and Google Analytics.

One might wonder how you ever manage to read headlines if you can't grasp the concept of implied words. It's not exactly uncommon for a headline to drop words, nouns and verbs alike.

Why, MSN.com has the headline "Dust storms, Bear attacks, more". Oh noes! There's no verb in those sentences! WHAT are the dust storms doing? Or perhaps the dust is currently storming, and it's the object of the attacks and storms that we are missing? However will we decode this headline? And what is the bear attacking?

"Storms" and "attacks" are both verbs. The dust is storming, the bear is attacking. There was an s missing from the headline. It's a Slashdot meme to make jokes about the poor editorial quality. You need to relax and get over it.

Not correct. You might be able to make the case for "attacks" being a verb, but ONLY if it is referring to a single bear doing the attacking. If it is referring to several incidents, it would be "bear-attack", plural-- that is "bear attacks" (noun).

Dust storm, however, is a noun, and I have never heard the usage that would indicate the dust was storming something-- you would have to think the dust was breaching the walls of something, which is a bit of a stretch.

No, it's called shitty application developers that don't want to leverage the tools Microsoft provides for securing their applications. I've gotten arguments from developers who SWEAR they can do it better -- and by better, I mean "I should be able to put my application anywhere on the system and the system shouldn't be exploitable by any bugs in my code."

I shit you not, we argued over this for a while.

Microsoft provides developers every tool they need to make a Windows application that can operate on least pr